using System.Text.RegularExpressions;
using System.Web;

namespace LBSoft.Common.DotNetCode
{
    public class SqlFilterHelper
    {
        public static string Filter(string inputString)
        {
            string result;
            if (inputString != "")
            {
                string sql = SqlFilterHelper.SqlFilters(inputString);
                if (sql == "")
                {
                    sql = "敏感字符";
                }
                result = sql;
            }
            else
            {
                result = inputString;
            }
            return result;
        }

        private static string SqlFilters(string source)
        {
            source = source.Replace("'", "'''").Replace(";", "；").Replace("(", "（").Replace(")", "）");
            source = Regex.Replace(source, "select", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "insert", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "update", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "delete", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "drop", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "truncate", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "declare", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "xp_cmdshell", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "/add", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "net user", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "exec", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "execute", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "xp_", "x p_", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "sp_", "s p_", RegexOptions.IgnoreCase); 
            return source;
        }

        /// <summary> 
        /// 获取Get或Post的数据 
        /// </summary> 
        /// <param name="request"></param> 
        /// <returns></returns> 
        public static bool ValidUrlData(string request)
        {
            bool result = false;
            if (request == "POST")
            {
                for (int i = 0; i < HttpContext.Current.Request.Form.Count; i++)
                {
                    result = ValidData(HttpContext.Current.Request.Form[i].ToString());
                    if (result)
                    {
                        break;
                    }
                }
            }
            else
            {
                for (int i = 0; i < HttpContext.Current.Request.QueryString.Count; i++)
                {
                    result = ValidData(HttpContext.Current.Request.QueryString[i].ToString());
                    if (result)
                    {
                        break;
                    }
                }
            }
            return result;
        }
        /// <summary> 
        /// 验证是否存在注入代码 
        /// </summary> 
        /// <param name="inputData"></param> 
        /// <returns></returns> 
        private static bool ValidData(string inputData)
        {
            //验证inputData是否包含恶意集合 
            if (Regex.IsMatch(inputData, GetRegexString()))
            {
                return true;
            }
            else
            {
                return false;
            }
        }
        /// <summary> 
        /// 获取正则表达式 
        /// </summary> 
        /// <returns></returns> 
        private static string GetRegexString()
        {
            //构造SQL的注入关键字符，可根据情况自行增减
            string[] strChar = {
                  "exec"
                , "insert"
                , "select"
                , "update"
                , "delete"
                , "drop"
                , "master"
                , "truncate"
                , "declare"
                , "execute"
                , "SiteName"
                , "/add"
                , "xp_cmdshell"
                , "net user"
                , "net localgroup administrators"
                , "exec master.dbo.xp_cmdshell"
            };
            string str_Regex = ".*(";
            for (int i = 0; i < strChar.Length - 1; i++)
            {
                str_Regex += strChar[i] + "|";
            }
            str_Regex += strChar[strChar.Length - 1] + ").*";
            return str_Regex;
        }
    }
}